Posted
by
timothyon Thursday September 22, 2011 @01:14PM
from the you-probably-should-have-anticipated-this dept.

coondoggie writes "To perhaps no one's surprise, Borders bookstore collected a ton of consumer information — such as personal data, including records of particular book and video sales — during its normal course of business. Such personal information Borders promised never to share without consumer consent. But now that the company is being sold off as part of its bankruptcy filing, all privacy promises are off. Reuters wrote this week that Barnes & Noble, which paid almost $14 million for Borders' intellectual assets (including customer information) at auction last week, said it should not have to comply with certain customer-privacy standards recommended by a third-party ombudsman."

I believe the point is information was shared under the assumption that it would remain confidential, the fact that a company purchasing the scraps of the company that entered into this agreement is no longer willing to honor those conditions is a little disconcerting; it could potentially set a precedent where other information can be "released" without your consent simply because a company stops existing.

The real question is whose asset is your information. Consider that your information is on loan, subject to conditions of contract being fulfilled, at any time you are entitled to recall your private data and in turn the company is no longer required to provide you will value based upon the loan of that data.

The company has gone bankrupt and as such is no longer able to fulfil the conditions of contract the were the basis of the loan of your private data, failure to adhere to the conditions of contract means your private data must be returned to you ie. deleted.

You private data can not be transferred upon bankruptcy under new conditions, because the bankrupt company now owes you a debt, your privacy because it no longer can provide contracted services.

As I understand it, information _about_ you isn't owned by you. Even if it was, companies would just put a clause in their TOS/EULA/Contract/whatever wherein you grant them full and unrestricted use of your information. You could of course refuse these terms, but unless you are prepared to live in the woods somewhere off the land.. good luck with that.

the fact that a company purchasing the scraps of the company that entered into this agreement is no longer willing to honor those conditions is a little disconcerting;

I would say that a company that WOULD honor a set of conditions that it was not party to in the face of a hefty profit would be the surprise. "No longer willing" implies that they were once willing to do so, something that isn't true. They've never been willing to protect Border's data and were not part of any privacy agreement between customers and Borders.

Borders said they wouldn't use the data. Borders is the one who broke the agreement by including that data in the sale, but I doubt they had much say

Tell me about misinfo! I had to deal with it for about two years because of my "doppelganger" as I called him. The guy lived on the other side of town, but he had the same first, last name and middle name (his middle was spelled differently but was the same name) , he had a sister with the same name as mine, and both of his parents had the same names as mine, only they were a couple of years younger than my parents.

I found out it was ending when my landlady used her key to get into my apt one morning and I

Amazon sells many, many things including (but certainly not limited to) herbs, electronics, sex toys, bondage gear, gourmet food, and of course books about almost any subject. Any marketer would love to have detailed shopping histories from Amazon...

A DA riffling through what people bought in his district finds that certain people bought rolling paper, grinders, and an occasional scale.

And anybody foolish enough to buy that combination of items, on Amazon, is an idiot. Those are all items you buy in person, with cash.
That being said, those are all legal items and no sane judge would issue a search warrant based on this type of flimsy circumstantial evidence alone.

Right at the bottom of every marketing message from Amazon is a link to take you to your account page. Don't click on it. Instead open your browser and manually enter the link and enter your account. You can adjust exactly what email they send you from there.

I set up a filter for that. I sometimes need to add a new "newsletter" to it, but it sends those mails that are not-quite-spam to a seperate folder. I can skim over that every few days (cause these com from companys that I perhaps want to do business again with) but they don't disturb me with ringing my phones new mail alert.

Information is an asset I'll admit. But the access to the information was clearly bounded by Border's privacy policy. I really don't understand why the courts are even considering the possibility of allowing it to be sold. If the privacy policy said only Borders would access the data then when Borders ceases to exist than so should the data. B&N can just ask you to give them the info if you choose to under their privacy agreement. The fact that the company would even try to purchase information covered under a privacy agreement with another company puts them on my no-buy list.

Corporations can't be killed. They can be consumed by another corporation but the bits and pieces (especially bits these days) never dies. New corporations feed off the rotting entrails of older ones but they grow up to be functionally all the same.

Much worse than a Zombie infection. Sort of like a rootkit. Reboot all you like, it's still there.

I think the article mentions a "deceptive business practice" clause that could cover this kind of thing. The fact that the information was supplied to you for a specific purpose should bind you to only use it for that purpose. I know I'm being naive but it does seem a rather unethical thing to do. What if for example the courts decide to license out the info from Borders rather than just sell it to one company (or the buying company does it)? Say they see you bought books about animals and the next thing yo

But they are claiming there is something left when they try to sell it. Also if the court is controlling the bankruptcy sale they should be able to say this can be sold, that can't etc. My understanding is you file Chapter 7 but it is an ongoing process it isn't a one time "oh we are done" it is a long involved process potentially with the attempt to salvage the company, sell of parts, etc.

When attempting to salvage parts of the company the Judge doesn't want to rule that something can't be sold. His primary concern is making sure debtors get money back. The data is something that clearly has value to B&N. There is not much damage to consumers if the data is transfered from Borders to B&N. No customer is going to lose money, be embarrased, or go to jail because of this deal. Damages to the consumer is very hypothetical. So why not let it go through.

It is screwy. But I am sorta glad B&N purchased the info and not someone else. At least with B&N we know what that the info will be used in the exact same way it was used under Borders. I would love a ruling that the data needs customer approval for transfer though.

Information is an asset I'll admit. But the access to the information was clearly bounded by Border's privacy policy. I really don't understand why the courts are even considering the possibility of allowing it to be sold. If the privacy policy said only Borders would access the data then when Borders ceases to exist than so should the data. B&N can just ask you to give them the info if you choose to under their privacy agreement. The fact that the company would even try to purchase information covered

I think part of this is legal - B&N doesn't want to find itself ensnared by legal complications resulting from deficiencies in Borders' data collection or handling practices.

While IANAL, From my limited understanding of Bankruptcy law, the courts can basically dissolve nearly any contract in place. So as far as the Bankruptcy court is concerned the Private Policy doesn't exist, and they can sell the information off regardless of what the Private Policy said. The Privacy Policy only protects against what Borders itself can do with the data in the course of their own business, but once you get to Bankruptcy court then all bets are off. That is the problem with Privacy Policies.

Now, if another company simply bought Borders then the Privacy Policy would still be in effect. The issue only comes into play when a company goes through Bankruptcy. Privacy Policies might even survive restructuring under Chapter 11 Bankruptcy; but it won't likely survive Chapter 7 Bankruptcy.

That said, I think this is one area that Congress should address and fix - so the Bankruptcy courts are not so free to break the Privacy Policies, however restrictive the company may have made them.

Bankruptcy is a legal process where you legally break your contracts because you are out of money. The only way to protect data privacy is through legislation that limits how data is transferred in Bankruptcy.

Take a cloud provider goes out of business. Another entity buys up all their servers, and now has free and complete access to the former clients' data. All data can be sold to the highest bidder (even if it is in a hostile country), or just slap it on a 20TB BitTorrent off of thepiratebay? Easily done, and there is not one thing legally that can be done about it.

Until the bankruptcy code addresses this with a stipulation that all data is either

Take a cloud provider goes out of business. Another entity buys up all their servers, and now has free and complete access to the former clients' data. All data can be sold to the highest bidder (even if it is in a hostile country), or just slap it on a 20TB BitTorrent off of thepiratebay? Easily done, and there is not one thing legally that can be done about it.

Until the bankruptcy code addresses this with a stipulation that all data is either erased (with certificates of destruction of data or physical media), one needs to assume any and all "privacy policies" are "we will give any info to any and all we please."

While (again) IANAL, that is probably a little farther fetched as the Bankruptcy court would probably recognize the contract in place and not recognize that data as belonging to the company. Not to say it couldn't happen, but it'd be a lot harder to have happen than the Privacy issue as there is an actual service contract involved. (Not so with the Privacy Policy.)

Very true. To us, it makes sense. However, what is needed in order for this to not be something that ends up bounced in the courts for years is a clear law -- client data on a company that goes bankrupt? The physical machine's drives get zeroed (if the drives support cryptographic erasures), or physically destroyed, and a third party certifies that this has been done to the bankruptcy court.

Ideally, we need a data protection act, where unless there is explicit reason for data to remain on a machine (intr

Very true. To us, it makes sense. However, what is needed in order for this to not be something that ends up bounced in the courts for years is a clear law -- client data on a company that goes bankrupt? The physical machine's drives get zeroed (if the drives support cryptographic erasures), or physically destroyed, and a third party certifies that this has been done to the bankruptcy court.

Ideally, we need a data protection act, where unless there is explicit reason for data to remain on a machine (intrusion attempt, motion of discovery), it has to be destroyed within a reasonable time frame (30 days for Web logs, 12 months for back purchases, etc.) This way, the damage from a bankruptcy would be limited.

While IANAL, From my limited understanding of Bankruptcy law, the courts can basically dissolve nearly any contract in place.

I don' think bankruptcy can dissolve anything other than money contracts. (IANAL either).

Physical property, like land and houses are often accompanied with "contracts" such as covenants, easements, etc.Yet even when these assets get sold thru bankruptcy you can't then claim that the easement or covenant is no longer in force.These are public contracts that bind all future owners.

Similarly a publicly stated privacy policy, and explicitly restrictions on revealing consumer's credit card information, are public contracts.The policy was in place at the time B&N bid on the Borders asset.

Disclosures in connection with acquisitions or divestitures. Circumstances may arise where for strategic or other business reasons Borders decides to sell, buy, merge or otherwise reorganize its own or other businesses. Such a transaction may involve the disclosure of personal and other information to prospective or actual purchasers, or receiving it from sellers. It is Borders' practice to seek appropriate protection for information in these types of transactions. In the event that Borders or all of its assets are acquired in such a transaction, customer information would be one of the transferred assets.

Similarly, B&N explicitly states (at least since April) in its privacy policy [barnesandnobleinc.com]:

Sales, mergers, and acquisitions. If Barnes & Noble becomes involved in a merger, acquisition, or any form of sale of some or all of its assets, personal information may be provided to the entities and advisors involved subject to a confidentiality agreement, and we will provide notice before any personal information is finally transferred and becomes subject to a different privacy policy.

So this seems to me to have been in the policy statements of Borders for a long time, most customers knew or should have known about this provision, and Borders provided an opt out link in the page referenced above. Therefore think B&N is well within their rights to use this information.

GM is now doing this regarding an issue with the Chevrolet Impala. They are refusing to warranty work that is covered under the warranty on the grounds that pre-bankruptcy GM and the current GM are two different companies.

hysical property, like land and houses are often accompanied with "contracts" such as covenants, easements, etc.
Yet even when these assets get sold thru bankruptcy you can't then claim that the easement or covenant is no longer in force.
These are public contracts that bind all future owners.

WHile (again) IANAL, I think there is a big difference there. For example, easements are a matter of law - the land in the easement doesn't technically belong to the land holder even though they assume responsibility

The problem is, there are no limits regarding privacy policies for the bankruptcy courts right now. They're just another informal, single-sided contract - one that the court can break.

But again, As I pointed out later in my post, BOTH companies have EXPLICIT statements in their on-line privacy policy stating well in advance that personal information of customers were an asset that WOULD BE INCLUDED in any sale.

The problem is, there are no limits regarding privacy policies for the bankruptcy courts right now. They're just another informal, single-sided contract - one that the court can break.

But again, As I pointed out later in my post, BOTH companies have EXPLICIT statements in their on-line privacy policy stating well in advance that personal information of customers were an asset that WOULD BE INCLUDED in any sale.

Again, that has little to do with the issue at hand. While IANAL the Bankruptcy court can completely ignore what they say they will do in those agreements per a sale. Most all of them state that the conditions will carry through, while the Bankruptcy court can completely ignore that if it so desires.

So no need to break the allegedly single sided contract.

Unless you as an individual (i) sign a copy, (ii) return the signed copy to them, and (iii) receive a copy of what you signed with a signature of one of their representatives (either before or after you signed) then it is a single-sided contract as they are defining the terms of which you have no say in the matter. That is a legal definition. There is no "allegation" going on.

This is an asset they wanted, that was attached to a promise (contract) - basically a liability attached to the asset. Bankruptcy is often used to restructure debt, but this obligation/liability is an intrinsic part of the asset. Better that data be destroyed than transferred apart from the promises of privacy that made the collection of it possible int he first place. If the separation of the data from the privacy policy is allowed, I can see it quickly getting abused.

This is an asset they wanted, that was attached to a promise (contract) - basically a liability attached to the asset. Bankruptcy is often used to restructure debt, but this obligation/liability is an intrinsic part of the asset. Better that data be destroyed than transferred apart from the promises of privacy that made the collection of it possible int he first place. If the separation of the data from the privacy policy is allowed, I can see it quickly getting abused.

IANAL, but there are several kinds of Bankruptcy. Most popular is Chapter 7, which results in Solvency, and Chapter 11/13 (11 for companies, 13 for individuals) which simply allow restructuring of the debt under court supervision. The court can break a lot of contracts in place even under Chapter 11/13; however, they tend not to so long as the contract does not prevent the company/individual from exiting Bankruptcy, which is the ultimate goal of Chapter 11/13 Bankruptcies. However, under Chapter 7 there is

I disagree, that information IS and asset and creditors in order of seniority should have an absolute right to extract as much value in a bankruptcy up to what they lent as possible. This is a pretty fundamental concept of credit and private property which are more basic to our society that even the notion of privacy. That is why what the Obama administration did with Chrysler was such an atrocity.

They take away here is consumers need to learn the lesson that information is an asset. They need to be less

I disagree, that information IS and asset and creditors in order of seniority should have an absolute right to extract as much value in a bankruptcy up to what they lent as possible. This is a pretty fundamental concept of credit and private property which are more basic to our society that even the notion of privacy. That is why what the Obama administration did with Chrysler was such an atrocity.

I'm not stating anything here per what I think about whether the information is an asset. All I am saying is

This sounds not unreasonable. B&N already has a huge amount of information on my book buying habits from my accounts with them (I have a loyalty card, and buy stuff from them online), and they've never used that to spam me excessively. I don't see why they would abuse the more limited info Borders may have on me. At best it would serve to piss me off and be less likely to use them.

Yeah, but with UPS they try to deliver it, you get home, find the card, go to the web site and tell them you'll collect it, but it's too late for them to take if off the truck so you can't collect it the next day, then the next day you go to their office wihch is only open two hours a day and queue up for half an hour and they tell you they forgot to take it off the truck so you'll have to come back again the next day.

I've often had UPS parcels take longer to cover the two miles from their depot to our hous

Beats the hell out of Fedex, who don't come within 100 miles of me, so they receive my package on Monday, sit (possibly literally) on it until Friday, then drop it in the mail to the bus station (Which is literally 4 blocks from the Fedex office in that city!), after which I can pick it up at the local bus station probably on Wednesday.

And don't even get me started on their inability to do simple math and calculate taxes and duty properly, leading to my package getting stuck at customs for a week, without t

Yeah, but with UPS they try to deliver it, you get home, find the card, go to the web site and tell them you'll collect it, but it's too late for them to take if off the truck so you can't collect it the next day, then the next day you go to their office wihch is only open two hours a day and queue up for half an hour and they tell you they forgot to take it off the truck so you'll have to come back again the next day.

I've often had UPS parcels take longer to cover the two miles from their depot to our house than they took to travel half way around the world to the depot. With Fedex I just stop by on the way to work the next day and collect it from them, because they're actually open at sensible times.

This. UPS availability and service just blows for people who have jobs outside the home and can't loll around all day waiting for a package. It's why my first name for all UPS-delivered items (when I know the vendor is planning on using UPS, that is) is "HOLD-FOR-PICKUP", along with another note in the special delivery instructions (if the option is even available on the ordering page). Or, if all else fails, I specify my workplace as the delivery address, but I don't like to do that very often even if t

Borders went out of business because they were too pushy with the Rewards Card. I just wish now that I had not turned it down so I would have standing to file a petition to enter the bankruptcy proceeding as a defrauded creditor.

The final clause in all privacy policies are words to the effect, "this policy is subject to change at any time, with or without notice to you." Now we have an example of what that means.

I have always regarded that a license to defraud the consumer, as they can initially offer privacy terms that are acceptable, then collect your data, then revoke the privacy protections without giving you a chance to change or delete your data.

The final clause in all privacy policies are words to the effect, "this policy is subject to change at any time, with or without notice to you." Now we have an example of what that means.

I have always regarded that a license to defraud the consumer, as they can initially offer privacy terms that are acceptable, then collect your data, then revoke the privacy protections without giving you a chance to change or delete your data.

IANAL, but that is only there so they can update it via the website without specifically telling you what the changes are or that changes occurred. One reason for that is because it can be hard to track someone down when the only information may have changed - e.g. they moved or they got a different phone number, or a different e-mail address and (for any or all) they forgot to tell you about any of the changes. How then would you go about notifying them?

IANAL, but that is only there so they can update it via the website without specifically telling you what the changes are or that changes occurred.

That's what they want you to think, and they may have even meant it at the time. IANAL either, but since the clause does not specify the nature or extent of changes they make, it seems to me they can change it completely, even reversing the entire spirit of the thing, and all they have to do is "post" (read, bury) a notice on their Web site somewhere.

IANAL, but that is only there so they can update it via the website without specifically telling you what the changes are or that changes occurred.

That's what they want you to think, and they may have even meant it at the time. IANAL either, but since the clause does not specify the nature or extent of changes they make, it seems to me they can change it completely, even reversing the entire spirit of the thing, and all they have to do is "post" (read, bury) a notice on their Web site somewhere.

True. All they have to do is update the publicly posted agreement. However, that wouldn't protect them from a Class Action lawsuit - while Bankruptcy court would. (IANAL)

We reserve the right to update our Privacy Policy from time to time. When we do, we will post a notice on the Websites for a reasonable period of time after such changes are made that this Privacy Policy has been updated and we will revise the "Last Modified" date at the top of this Privacy Policy. We encourage you to check this page periodically for any updates. Your continued use of the Websites following the posting of updates to this Privacy Policy will mean you accept those updates.

So if they change the policy to something I no longer find acceptable, I can demand they purge all my data, right? No? Then I fail to see how simply notifying me I've been screwed somehow makes it fair.

This kind of decision would turn every (former) Border's customer into a potential creditor in the bankruptcy proceeding, since it becomes a cost and damage to that customer if the privacy terms already agreed to are changed. Imagine if even 1 person of Border's (former) customer were to file a petition with the bankruptcy court to enter as a creditor.

This kind of decision would turn every (former) Border's customer into a potential creditor in the bankruptcy proceeding, since it becomes a cost and damage to that customer if the privacy terms already agreed to are changed. Imagine if even 1 [percent] person of Border's (former) customer were to file a petition with the bankruptcy court to enter as a creditor.

Even if this, shall we say novel, concept of counting you as a creditor based on some implied contract in the privacy terms actually flew with the court (I doubt it, but I'm humoring you) the whole point of bankruptcy is that the debtor cannot honor all its creditors going forward. That's what it means to be asset-insolvent -- you owe creditors more than you are worth and so many of them, by necessity, don't get the obligations honored.

Since, even in your theory, you took an un-secured (no-collateral was of

This kind of decision would turn every (former) Border's customer into a potential creditor in the bankruptcy proceeding, since it becomes a cost and damage to that customer if the privacy terms already agreed to are changed. Imagine if even 1 person of Border's (former) customer were to file a petition with the bankruptcy court to enter as a creditor.

First, you would be an unsecured creditor. Second, you'd have to address the valuation of your claim. Third Litigation of that claim would be expensive. F

Along the lines of corporations are people. If someone has private pictures of you on their computer, and has promised never to show them to anyone else, but they die and someone buys their computer at an estate sale, you're sort of SOL.

So, if I buy a harddrive from someone, and it has some software installed on it, that means that I can do whatever I want with it because I didn't agree to the ToS! Right...?

Someone should distribute the information for the entire management-level people at B&N. Phone, address, list of children, VISA numbers... And, then of course, anybody with that information would say that they couldn't possibly be bound by any terms of use because they never made any agreement.

Paint of an example for these people. Leave them voicemails about how important privacy is. Send them mail about how important privacy is. Use their credit card to buy yourself books from Barnes and Nobles (or buy books about privacy and ship the books to their addresses). But for the love of all that is good, leave their kids and families out of it.

I think B&N is asserting the opposite of that, whichis Ardeaem's point.

Nope. If Borders bought a hard drive before they went bust, then that would be their property to be auctioned off. Similarly, the data Borders had about you is their property, which is to be auctioned off.

People are acting as though the data Borders collected belongs to them, rather than the company.

Hopefully this may help a few people realise the perils of letting random companies collect data about them.

It's bankruptcy, judges can get rid of contract classes as they see fit. Want it fixed you need a federal law (or patchwork of state laws) precluding the sale, lease or otherwise transfer of all personally identifying information without the consent of that person at the time of transfer (aka no fine print you allow this forever BS). Might want to tack on a company must expunge that same info opon request, or after n years of inactivity.

If B&N made this an optional thing for consumers, I'd be okay with it. "Were you a Borders Rewards user? Like to have your personal preferences and history transferred over to our B&N card? Just let us know, and as a transferring bonus, we'll give you an extra 10% off any one item." Yeah, I might sign up if it was presented to me as a choice.

But that's bad business. Giving away a 10% discount when you can just take with no further consideration than the actual bankruptcy purchase price of the IP and the small cost of lawyers to persuasively make your case to the bankruptcy court? Completely unnecessary.

You're paying the lawyers anyway, and you'd have to buy the IP to even have the chance to ask every Joe Bagodonuts "Mother may I", so you might as well just do it and save yourself some money. Even if you have to retain a few lawyers to fend off

You have to scroll way down to find this, but this is part of the Borders privacy policy:

Disclosures in connection with acquisitions or divestitures.Circumstances may arise where for strategic or other business reasons Borders decides to sell, buy, merge or otherwise reorganize its own or other businesses. Such a transaction may involve the disclosure of personal and other information to prospective or actual purchasers, or receiving it from sellers. It is Borders' practice to seek appropriate protection for information in these types of transactions. In the event that Borders or all of its assets are acquired in such a transaction, customer information would be one of the transferred assets.

If the company buying the data at auction is not held to the same privacy standards as the original, this means that shell companies can be formed to gather information under strict nondisclosure, then intentionally fold and provide the information without restriction and in violation of the original disclosure agreement.

If the company buying the data at auction is not held to the same privacy standards as the original, this means that shell companies can be formed to gather information under strict nondisclosure, then intentionally fold and provide the information without restriction and in violation of the original disclosure agreement.

And when big-box retailers form subsidiaries to manage all that precious data, and those subsidiaries mysteriously get mismanaged to the point they get reorganized regularly, voiding all privacy promises each time, where will you shop? If B&N gets away with it, I expect Wal-Mart and Best Buy to quickly farm out all customer data collection to a "separate" company, i.e. "Wal-Mart Consumer Interaction Contractor" and "Best Buy Communications, Inc."

Honestly, I don't care if Borders gives my purchase history to B&N. That should be the only thing they get, though.
I shopped at both stores. It would be great if B&N would use this data to send me coupons for science fiction books!

This became a well-settled area of law when lawsuits by Scientology drove the Cult Awareness Network into bankruptcy. The Scientologists were able to get a hold of CAN's confidential files in the BK, despite strenuous objections by many parties.

If those files can't be protected, I don't see your book purchasing habits at Borders being particularly sarconsact.

Barnes & Noble, which paid almost $14 million for Borders' intellectual assets (including customer information) at auction last week, said it should not have to comply with certain customer-privacy standards recommended by a third-party ombudsman.

In unrelated news, I say customers should not buy anything from Barnes and Noble ever again.

Barnes and Noble's argument that the Borders customers whose data they bought will be protected by their own policy is specious. The very act of B&N purchasing the information is in and of itself a violation of the previous privacy agreement. That's like a bank robber saying, "Sure, I took the money, but don't worry, I won't share it with any other criminals."

You must have been going to a different borders than I did, around here there was one big one and the layout was confusing and disorganized and the selection was worse than the BN of about the same size. They also had several horribly overpriced mall stores with big displays of guiness book of records and ripley's believe it or not

my thought when they announced borders was closing was more bewilderment how they lasted this long than anything else

I always make purchases when I visit B&N... I browse the selection, scan the ISBN with my phone, and have the book shipped free via Amazon Prime!

This isn't strictly true anymore, but it used to be. Today, most of my book purchases are directly with the publishers that will sell me DRM-free digital copies or from used bookstores. B&N has done very badly with their online store in identifying the format of books and if they contain DRM or not. (They're not all epub)